How is this email subverting SPF checks

postfix, spf

I run a mail server which appears to correctly handle emails with SPF set – however I've started receiving fake emails purporting to be from a bank – with the From address set as the bank – but which definitely do not originate from the bank.

The relevant headers of the email are as follows:

Delivered-To: me@mydomain.name
Received: from mail.mydomain.org (localhost [127.0.0.1])
    by mail.mydomain.org (Postfix) with ESMTP id AD4BB80D87
    for <user@mydomain.com>; Thu, 13 Oct 2016 20:04:01 +1300 (NZDT)
Received-SPF: none (www.tchile.com: No applicable sender policy available) receiver=mydomain.org; identity=mailfrom; envelope-from="apache@www.tchile.com"; helo=www.tchile.com; client-ip=200.6.122.202
Received: from www.tchile.com (www.tchile.com [200.6.122.202])
    (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits))
    (No client certificate requested)
    by mail.mydomain.org (Postfix) with ESMTPS id 40F6080B9F
    for <user@mydomain.com>; Thu, 13 Oct 2016 20:03:57 +1300 (NZDT)
Received: from www.tchile.com (localhost.localdomain [127.0.0.1])
    by www.tchile.com (8.13.1/8.13.1) with ESMTP id u9D73sOG017283
    for <user@mydomain.com>; Thu, 13 Oct 2016 04:03:55 -0300
Received: (from apache@localhost)
    by www.tchile.com (8.13.1/8.13.1/Submit) id u9D73smu017280;
    Thu, 13 Oct 2016 04:03:54 -0300
Date: Thu, 13 Oct 2016 04:03:54 -0300
Message-Id: <201610130703.u9D73smu017280@www.tchile.com>
To: user@mydomain.com
Subject: CANCELLATION_PROCESS.
From: KIWI BANK <noreply@kiwibank.co.nz>
Reply-To: 
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary=029F3E3270D5187AA69203962BF830E3
X-Virus-Scanned: ClamAV using ClamSMTP

The key thing here is that kiwibank.co.nz is a legitimate, reputable bank where I am from, and has an SPF record which reads:

kiwibank.co.nz.     13594   IN  TXT "v=spf1 include:_spf.jadeworld.com ip4:202.174.115.25 ip4:202.126.81.240 ip4:202.12.250.165 ip4:202.12.254.165 ip4:66.231.88.80 include:spf.smtp2go.com include:spf.protection.outlook.com -all"

So, after some reading – it appears that the Envelope-From is correct, but the "From" has been faked. Is there any way I can correct/mitigate this without breaking "general" email? I note that I use Postfix, Spamassassin and policyd (postfix-policyd-spf-perl) – and if it's really so easy to bypass, what's the point of SPF?

Best Answer

In this case they probably said to your server something like this:

EHLO www.tchile.com
MAIL FROM: apache@www.tchile.com 
RCPT TO: user@mydomain.com
DATA
Date: Thu, 13 Oct 2016 04:03:54 -0300
Message-Id: <201610130703.u9D73smu017280@www.tchile.com>
To: user@mydomain.com
Subject: CANCELLATION_PROCESS.
From: KIWI BANK <noreply@kiwibank.co.nz>
Reply-To: 
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary=029F3E3270D5187AA69203962BF830E3
X-Virus-Scanned: ClamAV using ClamSMTP

The contents of mail...
.

The SMTP conversation (aka "the envelope") can have a different From/To than the email headers. SPF doesn't check the header, however it's always the header which is actually displayed to the end user! Yes, SMTP is that broken. Yes, SPF is that broken.

You will be best served by checking DMARC instead of only checking SPF. DMARC by default checks SPF, but it also checks the alignment of the From header with the SMTP MAIL FROM (the domains need to match - it ignores the username part). As a bonus you could also get DKIM support, which is a very useful addendum to SPF.

DMARC would depend on a DNS TXT record set at _dmarc.kiwibank.co.nz., but currently there is none. Per the current state of Internet regulations, that means the owner of kiwibank.co.nz. doesn't care at all about being protected against such spoofs. But in some implementations you could enforce DMARC for all incoming emails.
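As an added illustration of the alignment check the answer describes (example code, not from the original post or from postfix-policyd-spf-perl): it reads the Received-SPF header written by the receiving side's own SPF daemon, pulls out the envelope-from domain, and compares it with the domain in the displayed From: header the way DMARC would. The MULTI_LABEL_SUFFIXES set is a constructed stand-in for the Public Suffix List, and the sample headers are the ones from the question.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed stand-in for the Public Suffix List. Real DMARC code needs the
# full list (https://publicsuffix.org): without it "kiwibank.co.nz" would
# collapse to the public suffix "co.nz" and alignment checks become meaningless.
MULTI_LABEL_SUFFIXES = {"co.nz", "co.uk", "com.au"}

def org_domain(domain):
    """Organizational domain used by DMARC relaxed alignment."""
    labels = domain.lower().rstrip(".").split(".")
    keep = 3 if ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES else 2
    return ".".join(labels[-keep:])

def envelope_from_domain(received_spf):
    """MAIL FROM domain as recorded by the SPF policy daemon in Received-SPF."""
    m = re.search(r'envelope-from="?([^";\s]+)"?', received_spf)
    return m.group(1).rsplit("@", 1)[-1] if m else None

def spf_alignment(raw_message, strict=False):
    """Return (spf_result, aligned): the SPF verdict on the envelope sender and
    whether the From: header domain aligns with it as DMARC requires.
    Only trust the Received-SPF header your own receiver added (check its
    receiver= value); an upstream host can forge one in the message body."""
    msg = message_from_string(raw_message)
    spf = msg.get("Received-SPF", "")
    result = spf.split(" ", 1)[0].lower() or "none"
    mail_from = envelope_from_domain(spf)
    header_from = parseaddr(msg.get("From", ""))[1].rsplit("@", 1)[-1]
    if not mail_from or not header_from:
        return result, False
    if strict:
        return result, mail_from.lower() == header_from.lower()
    return result, org_domain(mail_from) == org_domain(header_from)

# Headers taken from the question (body omitted). SPF "none" on the envelope
# sender apache@www.tchile.com says nothing about the From: line a user sees.
SAMPLE = """\
Received-SPF: none (www.tchile.com: No applicable sender policy available) receiver=mydomain.org; identity=mailfrom; envelope-from="apache@www.tchile.com"; helo=www.tchile.com; client-ip=200.6.122.202
From: KIWI BANK <noreply@kiwibank.co.nz>
To: user@mydomain.com
Subject: CANCELLATION_PROCESS.

"""

if __name__ == "__main__":
    print(spf_alignment(SAMPLE))  # ('none', False): misaligned, quarantine or reject
```

A subdomain sender such as bounce@mail.kiwibank.co.nz with From: noreply@kiwibank.co.nz passes relaxed alignment but fails with strict=True, mirroring DMARC's aspf=r versus aspf=s.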